Function Identity Infowith Signin Risk
Query
// Save as a function in your workspace then invoke via its name, i.e if you save as SigninRisk
// SigninRisk | where TimeGenerated > ago(30d) | where UserPrincipalName == "[email protected]"
// SigninRisk | where TimeGenerated > ago(30d) | where AssignedRoles contains "Global Administrator"
// This will join the users identity information, sign in data and any risky signins for your query
IdentityInfo
| where TimeGenerated > ago (21d)
| summarize arg_max(TimeGenerated,*) by AccountUPN
| join kind=inner(
SigninLogs) on $left.AccountUPN==$right.UserPrincipalName
| project SigninTime=TimeGenerated1, UserPrincipalName, AppDisplayName, ResultType, AssignedRoles, Location, UserAgent, AuthenticationRequirement, Country, City, CorrelationId
| join kind=inner (
AADUserRiskEvents) on CorrelationId
| project SigninTime, UserPrincipalName, AppDisplayName, ResultType, DetectionTimingType, RiskState, RiskLevel, Location, AssignedRoles, UserAgent, AuthenticationRequirement, Country, CityExplanation
This query retrieves information about user sign-ins and any associated risks. It filters the data to include sign-ins within the last 30 days and for a specific user or users with a specific role. It then joins the user's identity information, sign-in data, and any risky sign-ins. The final result includes details such as the sign-in time, user's email, application name, sign-in result, risk level, location, assigned roles, user agent, authentication requirement, country, and city.
Details

Matt Zorich
Released: November 9, 2021
Tables
IdentityInfoSigninLogsAADUserRiskEvents
Keywords
IdentityInfoSigninLogsAADUserRiskEvents
Operators
whereago==contains|joinkind=inner$left$rightprojectsummarizearg_maxbyonandor